dbus: remove .bbappend - fix exist upstream

CVE-2014-3532 is fixed in dbus [1] and exists in dbus version 1.8.20 which poky master is using. [1] http://cgit.freedesktop.org/dbus/dbus/commit/?id=9ca90648fc870c24d852ce6d7ce9387a9fc9a94a Signed-off-by: Nora Björklund <nora.bjorklund@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Nora Björklund <nora.bjorklund@enea.com> 2016-01-25 14:32:54 +0100
committer: Adrian Dudau <adrian.dudau@enea.com> 2016-01-26 11:39:35 +0100
commit: facc35ed132049f8be4b450c91309762df429772 (patch)
tree: 7323eda8ae079756b485b4455eecc9a641734727
parent: 8912651af3c58c2b7f4fdc7b0b0de9ef3ca8f6cf (diff)
download: meta-el-common-facc35ed132049f8be4b450c91309762df429772.tar.gz
2 files changed, 0 insertions, 117 deletions
diff --git a/recipes-core/dbus/dbus_1.8.2.bbappend b/recipes-core/dbus/dbus_1.8.2.bbappend
deleted file mode 100644
index 3a6cb06..0000000
--- a/recipes-core/dbus/dbus_1.8.2.bbappend
+++ /dev/null
@@ -1,5 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-SRC_URI += "\
-            file://CVE-2014-3532.patch \
-            "
diff --git a/recipes-core/dbus/files/CVE-2014-3532.patch b/recipes-core/dbus/files/CVE-2014-3532.patch
deleted file mode 100644
index 95f110c..0000000
--- a/recipes-core/dbus/files/CVE-2014-3532.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-Date: Tue, 24 Jun 2014 17:57:14 +0100
-Subject: Handle ETOOMANYREFS when sending recursive fds (SCM_RIGHTS)
-Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() on Unix
-sockets returns -1 errno=ETOOMANYREFS ("Too many references: cannot splice")
-when the passfd mechanism (SCM_RIGHTS) is "abusively" used recursively by
-applications. A malicious client could use this to force a victim system
-service to be disconnected from the system bus; the victim would likely
-respond by exiting. This is a denial of service (fd.o #80163,
-CVE-2014-3532).
-This patch silently drops the D-Bus message on ETOOMANYREFS and does not close
-the connection.
-Upstream-Status: Backport
-Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80163
-Reviewed-by: Thiago Macieira <thiago@kde.org>
-[altered commit message to explain DoS significance -smcv]
-Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c
-index de3a18c..f4ba0fa 100644
--- a/dbus/dbus-sysdeps.c
-+++ b/dbus/dbus-sysdeps.c
-@@ -762,6 +762,20 @@ _dbus_get_is_errno_epipe (void)
- }
- 
- /**
-+ * See if errno is ETOOMANYREFS
-+ * @returns #TRUE if errno == ETOOMANYREFS
-+ */
-+dbus_bool_t
-+_dbus_get_is_errno_etoomanyrefs (void)
-+{
-+#ifdef ETOOMANYREFS
-+  return errno == ETOOMANYREFS;
-+#else
-+  return FALSE;
-+#endif
-+}
-+
-+/**
-  * Get error message from errno
-  * @returns _dbus_strerror(errno)
-  */
-diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
-index e586946..21033eb 100644
--- a/dbus/dbus-sysdeps.h
-+++ b/dbus/dbus-sysdeps.h
-@@ -384,6 +384,7 @@ dbus_bool_t _dbus_get_is_errno_eagain_or_ewouldblock (void);
- dbus_bool_t _dbus_get_is_errno_enomem                (void);
- dbus_bool_t _dbus_get_is_errno_eintr                 (void);
- dbus_bool_t _dbus_get_is_errno_epipe                 (void);
-+dbus_bool_t _dbus_get_is_errno_etoomanyrefs           (void);
- const char* _dbus_strerror_from_errno                (void);
- 
- void _dbus_disable_sigpipe (void);
-diff --git a/dbus/dbus-transport-socket.c b/dbus/dbus-transport-socket.c
-index 774f459..199d3b5 100644
--- a/dbus/dbus-transport-socket.c
-+++ b/dbus/dbus-transport-socket.c
-@@ -645,12 +645,44 @@ do_writing (DBusTransport *transport)
-         {
-           /* EINTR already handled for us */
-           
-          /* For some discussion of why we also ignore EPIPE here, see
-+          /* If the other end closed the socket with close() or shutdown(), we
-+           * receive EPIPE here but we must not close the socket yet: there
-+           * might still be some data to read. See:
-            * http://lists.freedesktop.org/archives/dbus/2008-March/009526.html
-            */
-           
-           if (_dbus_get_is_errno_eagain_or_ewouldblock () || _dbus_get_is_errno_epipe ())
-             goto out;
-+
-+          /* Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg()
-+           * on Unix sockets returns -1 errno=ETOOMANYREFS when the passfd
-+           * mechanism (SCM_RIGHTS) is used recursively with a recursion level
-+           * of maximum 4. The kernel does not have an API to check whether
-+           * the passed fds can be forwarded and it can change asynchronously.
-+           * See:
-+           * https://bugs.freedesktop.org/show_bug.cgi?id=80163
-+           */
-+
-+          else if (_dbus_get_is_errno_etoomanyrefs ())
-+            {
-+              /* We only send fds in the first byte of the message.
-+               * ETOOMANYREFS cannot happen after.
-+               */
-+              _dbus_assert (socket_transport->message_bytes_written == 0);
-+
-+              _dbus_verbose (" discard message of %d bytes due to ETOOMANYREFS\n",
-+                             total_bytes_to_write);
-+
-+              socket_transport->message_bytes_written = 0;
-+              _dbus_string_set_length (&socket_transport->encoded_outgoing, 0);
-+              _dbus_string_compact (&socket_transport->encoded_outgoing, 2048);
-+
-+              /* The message was not actually sent but it needs to be removed
-+               * from the outgoing queue
-+               */
-+              _dbus_connection_message_sent_unlocked (transport->connection,
-+                                                      message);
-+            }
-           else
-             {
-               _dbus_verbose ("Error writing to remote app: %s\n",
-- 
-cgit v0.10.2
author	Nora Björklund <nora.bjorklund@enea.com>	2016-01-25 14:32:54 +0100
committer	Adrian Dudau <adrian.dudau@enea.com>	2016-01-26 11:39:35 +0100
commit	facc35ed132049f8be4b450c91309762df429772 (patch)
tree	7323eda8ae079756b485b4455eecc9a641734727
parent	8912651af3c58c2b7f4fdc7b0b0de9ef3ca8f6cf (diff)
download	meta-el-common-facc35ed132049f8be4b450c91309762df429772.tar.gz

diff --git a/recipes-core/dbus/dbus_1.8.2.bbappend b/recipes-core/dbus/dbus_1.8.2.bbappend deleted file mode 100644 index 3a6cb06..0000000 --- a/recipes-core/dbus/dbus_1.8.2.bbappend +++ /dev/null
@@ -1,5 +0,0 @@
1	FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
2
3	SRC_URI += "\
4	file://CVE-2014-3532.patch \
5	"


diff --git a/recipes-core/dbus/files/CVE-2014-3532.patch b/recipes-core/dbus/files/CVE-2014-3532.patch deleted file mode 100644 index 95f110c..0000000 --- a/recipes-core/dbus/files/CVE-2014-3532.patch +++ /dev/null
@@ -1,112 +0,0 @@
1	Date: Tue, 24 Jun 2014 17:57:14 +0100
2	Subject: Handle ETOOMANYREFS when sending recursive fds (SCM_RIGHTS)
3
4	Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg() on Unix
5	sockets returns -1 errno=ETOOMANYREFS ("Too many references: cannot splice")
6	when the passfd mechanism (SCM_RIGHTS) is "abusively" used recursively by
7	applications. A malicious client could use this to force a victim system
8	service to be disconnected from the system bus; the victim would likely
9	respond by exiting. This is a denial of service (fd.o #80163,
10	CVE-2014-3532).
11
12	This patch silently drops the D-Bus message on ETOOMANYREFS and does not close
13	the connection.
14
15	Upstream-Status: Backport
16
17	Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80163
18	Reviewed-by: Thiago Macieira <thiago@kde.org>
19	[altered commit message to explain DoS significance -smcv]
20	Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
21	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
22
23	diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c
24	index de3a18c..f4ba0fa 100644
25	--- a/dbus/dbus-sysdeps.c
26	+++ b/dbus/dbus-sysdeps.c
27	@@ -762,6 +762,20 @@ _dbus_get_is_errno_epipe (void)
28	}
29
30	/**
31	+ * See if errno is ETOOMANYREFS
32	+ * @returns #TRUE if errno == ETOOMANYREFS
33	+ */
34	+dbus_bool_t
35	+_dbus_get_is_errno_etoomanyrefs (void)
36	+{
37	+#ifdef ETOOMANYREFS
38	+ return errno == ETOOMANYREFS;
39	+#else
40	+ return FALSE;
41	+#endif
42	+}
43	+
44	+/**
45	* Get error message from errno
46	* @returns _dbus_strerror(errno)
47	*/
48	diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
49	index e586946..21033eb 100644
50	--- a/dbus/dbus-sysdeps.h
51	+++ b/dbus/dbus-sysdeps.h
52	@@ -384,6 +384,7 @@ dbus_bool_t _dbus_get_is_errno_eagain_or_ewouldblock (void);
53	dbus_bool_t _dbus_get_is_errno_enomem (void);
54	dbus_bool_t _dbus_get_is_errno_eintr (void);
55	dbus_bool_t _dbus_get_is_errno_epipe (void);
56	+dbus_bool_t _dbus_get_is_errno_etoomanyrefs (void);
57	const char* _dbus_strerror_from_errno (void);
58
59	void _dbus_disable_sigpipe (void);
60	diff --git a/dbus/dbus-transport-socket.c b/dbus/dbus-transport-socket.c
61	index 774f459..199d3b5 100644
62	--- a/dbus/dbus-transport-socket.c
63	+++ b/dbus/dbus-transport-socket.c
64	@@ -645,12 +645,44 @@ do_writing (DBusTransport *transport)
65	{
66	/* EINTR already handled for us */
67
68	- /* For some discussion of why we also ignore EPIPE here, see
69	+ /* If the other end closed the socket with close() or shutdown(), we
70	+ * receive EPIPE here but we must not close the socket yet: there
71	+ * might still be some data to read. See:
72	* http://lists.freedesktop.org/archives/dbus/2008-March/009526.html
73	*/
74
75	if (_dbus_get_is_errno_eagain_or_ewouldblock () \|\| _dbus_get_is_errno_epipe ())
76	goto out;
77	+
78	+ /* Since Linux commit 25888e (from 2.6.37-rc4, Nov 2010), sendmsg()
79	+ * on Unix sockets returns -1 errno=ETOOMANYREFS when the passfd
80	+ * mechanism (SCM_RIGHTS) is used recursively with a recursion level
81	+ * of maximum 4. The kernel does not have an API to check whether
82	+ * the passed fds can be forwarded and it can change asynchronously.
83	+ * See:
84	+ * https://bugs.freedesktop.org/show_bug.cgi?id=80163
85	+ */
86	+
87	+ else if (_dbus_get_is_errno_etoomanyrefs ())
88	+ {
89	+ /* We only send fds in the first byte of the message.
90	+ * ETOOMANYREFS cannot happen after.
91	+ */
92	+ _dbus_assert (socket_transport->message_bytes_written == 0);
93	+
94	+ _dbus_verbose (" discard message of %d bytes due to ETOOMANYREFS\n",
95	+ total_bytes_to_write);
96	+
97	+ socket_transport->message_bytes_written = 0;
98	+ _dbus_string_set_length (&socket_transport->encoded_outgoing, 0);
99	+ _dbus_string_compact (&socket_transport->encoded_outgoing, 2048);
100	+
101	+ /* The message was not actually sent but it needs to be removed
102	+ * from the outgoing queue
103	+ */
104	+ _dbus_connection_message_sent_unlocked (transport->connection,
105	+ message);
106	+ }
107	else
108	{
109	_dbus_verbose ("Error writing to remote app: %s\n",
110	--
111	cgit v0.10.2
112